Vendorize all recent changes to minio-go (#7135)

- Default support for S3 dualstack endpoints (IPv6 support)
- Support granular policy conditionals in List operations
- Support proxy cookies for stickiness

docs/sts/client-grants.go

@@ -22,7 +22,6 @@ import (
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
-	"encoding/xml"
 	"flag"
 	"fmt"
 	"log"
@@ -32,37 +31,8 @@ import (
 
 	minio "github.com/minio/minio-go"
 	"github.com/minio/minio-go/pkg/credentials"
-	"github.com/minio/minio/pkg/auth"
 )
 
-// AssumedRoleUser - The identifiers for the temporary security credentials that
-// the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
-type AssumedRoleUser struct {
-	Arn           string
-	AssumedRoleID string `xml:"AssumeRoleId"`
-	// contains filtered or unexported fields
-}
-
-// AssumeRoleWithClientGrantsResponse contains the result of successful AssumeRoleWithClientGrants request.
-type AssumeRoleWithClientGrantsResponse struct {
-	XMLName          xml.Name           `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithClientGrantsResponse" json:"-"`
-	Result           ClientGrantsResult `xml:"AssumeRoleWithClientGrantsResult"`
-	ResponseMetadata struct {
-		RequestID string `xml:"RequestId,omitempty"`
-	} `xml:"ResponseMetadata,omitempty"`
-}
-
-// ClientGrantsResult - Contains the response to a successful AssumeRoleWithClientGrants
-// request, including temporary credentials that can be used to make Minio API requests.
-type ClientGrantsResult struct {
-	AssumedRoleUser              AssumedRoleUser  `xml:",omitempty"`
-	Audience                     string           `xml:",omitempty"`
-	Credentials                  auth.Credentials `xml:",omitempty"`
-	PackedPolicySize             int              `xml:",omitempty"`
-	Provider                     string           `xml:",omitempty"`
-	SubjectFromClientGrantsToken string           `xml:",omitempty"`
-}
-
 // JWTToken - parses the output from IDP access token.
 type JWTToken struct {
 	AccessToken string `json:"access_token"`
@@ -83,18 +53,12 @@ func init() {
 	flag.StringVar(&clientSecret, "csec", "", "Client secret")
 }
 
-func main() {
+func getTokenExpiry() (*credentials.ClientGrantsToken, error) {
-	flag.Parse()
-	if clientID == "" || clientSecret == "" {
-		flag.PrintDefaults()
-		return
-	}
-
 	data := url.Values{}
 	data.Set("grant_type", "client_credentials")
 	req, err := http.NewRequest(http.MethodPost, idpEndpoint, strings.NewReader(data.Encode()))
 	if err != nil {
-		log.Fatal(err)
+		return nil, err
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth(clientID, clientSecret)
@@ -108,65 +72,45 @@ func main() {
 	}
 	resp, err := hclient.Do(req)
 	if err != nil {
-		log.Fatal(err)
+		return nil, err
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		log.Fatal(resp.Status)
+		return nil, fmt.Errorf("%s", resp.Status)
 	}
 
 	var idpToken JWTToken
 	if err = json.NewDecoder(resp.Body).Decode(&idpToken); err != nil {
+		return nil, err
+	}
+
+	return &credentials.ClientGrantsToken{Token: idpToken.AccessToken, Expiry: idpToken.Expiry}, nil
+}
+
+func main() {
+	flag.Parse()
+	if clientID == "" || clientSecret == "" {
+		flag.PrintDefaults()
+		return
+	}
+
+	sts, err := credentials.NewSTSClientGrants(stsEndpoint, getTokenExpiry)
+	if err != nil {
 		log.Fatal(err)
 	}
 
-	v := url.Values{}
+	// Uncommend this to use Minio API operations by initializing minio
-	v.Set("Action", "AssumeRoleWithClientGrants")
+	// client with obtained credentials.
-	v.Set("Token", idpToken.AccessToken)
+
-	v.Set("DurationSeconds", fmt.Sprintf("%d", idpToken.Expiry))
+	opts := &minio.Options{
-	v.Set("Version", "2011-06-15")
+		Creds:        sts,
+		BucketLookup: minio.BucketLookupAuto,
+	}
 
 	u, err := url.Parse(stsEndpoint)
 	if err != nil {
 		log.Fatal(err)
 	}
-	u.RawQuery = v.Encode()
-
-	req, err = http.NewRequest("POST", u.String(), nil)
-	if err != nil {
-		log.Fatal(err)
-	}
-	resp, err = http.DefaultClient.Do(req)
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		log.Fatal(resp.Status)
-	}
-
-	a := AssumeRoleWithClientGrantsResponse{}
-	if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {
-		log.Fatal(err)
-	}
-
-	fmt.Println("##### Credentials")
-	c, err := json.MarshalIndent(a.Result.Credentials, "", "\t")
-	if err != nil {
-		log.Fatal(err)
-	}
-	fmt.Println(string(c))
-
-	// Uncommend this to use Minio API operations by initializin minio
-	// client with obtained credentials.
-
-	opts := &minio.Options{
-		Creds: credentials.NewStaticV4(a.Result.Credentials.AccessKey,
-			a.Result.Credentials.SecretKey,
-			a.Result.Credentials.SessionToken,
-		),
-		BucketLookup: minio.BucketLookupAuto,
-	}
 
 	clnt, err := minio.NewWithOptions(u.Host, opts)
 	if err != nil {

vendor/github.com/minio/minio-go/api-list.go

@@ -192,18 +192,16 @@ func (c Client) listObjectsV2Query(bucketName, objectPrefix, continuationToken s
 	// Always set list-type in ListObjects V2
 	urlValues.Set("list-type", "2")
 
-	// Set object prefix.
+	// Set object prefix, prefix value to be set to empty is okay.
-	if objectPrefix != "" {
 	urlValues.Set("prefix", objectPrefix)
-	}
+
+	// Set delimiter, delimiter value to be set to empty is okay.
+	urlValues.Set("delimiter", delimiter)
+
 	// Set continuation token
 	if continuationToken != "" {
 		urlValues.Set("continuation-token", continuationToken)
 	}
-	// Set delimiter.
-	if delimiter != "" {
-		urlValues.Set("delimiter", delimiter)
-	}
 
 	// Fetch owner when listing
 	if fetchOwner {
@@ -380,18 +378,17 @@ func (c Client) listObjectsQuery(bucketName, objectPrefix, objectMarker, delimit
 	// Get resources properly escaped and lined up before
 	// using them in http request.
 	urlValues := make(url.Values)
-	// Set object prefix.
+
-	if objectPrefix != "" {
+	// Set object prefix, prefix value to be set to empty is okay.
 	urlValues.Set("prefix", objectPrefix)
-	}
+
+	// Set delimiter, delimiter value to be set to empty is okay.
+	urlValues.Set("delimiter", delimiter)
+
 	// Set object marker.
 	if objectMarker != "" {
 		urlValues.Set("marker", objectMarker)
 	}
-	// Set delimiter.
-	if delimiter != "" {
-		urlValues.Set("delimiter", delimiter)
-	}
 
 	// maxkeys should default to 1000 or less.
 	if maxkeys == 0 || maxkeys > 1000 {
@@ -563,14 +560,12 @@ func (c Client) listMultipartUploadsQuery(bucketName, keyMarker, uploadIDMarker,
 	if uploadIDMarker != "" {
 		urlValues.Set("upload-id-marker", uploadIDMarker)
 	}
-	// Set prefix marker.
+
-	if prefix != "" {
+	// Set object prefix, prefix value to be set to empty is okay.
 	urlValues.Set("prefix", prefix)
-	}
+
-	// Set delimiter.
+	// Set delimiter, delimiter value to be set to empty is okay.
-	if delimiter != "" {
 	urlValues.Set("delimiter", delimiter)
-	}
 
 	// maxUploads should be 1000 or less.
 	if maxUploads == 0 || maxUploads > 1000 {

vendor/github.com/minio/minio-go/api-select.go

@@ -191,13 +191,20 @@ type StatsMessage struct {
 	BytesReturned  int64
 }
 
+// messageType represents the type of message.
+type messageType string
+
+const (
+	errorMsg  messageType = "error"
+	commonMsg             = "event"
+)
+
 // eventType represents the type of event.
 type eventType string
 
 // list of event-types returned by Select API.
 const (
 	endEvent      eventType = "End"
-	errorEvent              = "Error"
 	recordsEvent            = "Records"
 	progressEvent           = "Progress"
 	statsEvent              = "Stats"
@@ -314,6 +321,14 @@ func (s *SelectResults) start(pipeWriter *io.PipeWriter) {
 			// bytes can be read or parsed.
 			payloadLen := prelude.PayloadLen()
 
+			m := messageType(headers.Get("message-type"))
+
+			switch m {
+			case errorMsg:
+				pipeWriter.CloseWithError(errors.New("Error Type of " + headers.Get("error-type") + " " + headers.Get("error-message")))
+				closeResponse(s.resp)
+				return
+			case commonMsg:
 				// Get content-type of the payload.
 				c := contentType(headers.Get("content-type"))
 
@@ -326,10 +341,6 @@ func (s *SelectResults) start(pipeWriter *io.PipeWriter) {
 					pipeWriter.Close()
 					closeResponse(s.resp)
 					return
-			case errorEvent:
-				pipeWriter.CloseWithError(errors.New("Error Type of " + headers.Get("error-type") + " " + headers.Get("error-message")))
-				closeResponse(s.resp)
-				return
 				case recordsEvent:
 					if _, err = io.Copy(pipeWriter, io.LimitReader(crcReader, payloadLen)); err != nil {
 						pipeWriter.CloseWithError(err)
@@ -363,6 +374,7 @@ func (s *SelectResults) start(pipeWriter *io.PipeWriter) {
 						return
 					}
 				}
+			}
 
 			// Ensures that the full message's CRC is correct and
 			// that the message is not corrupted

vendor/github.com/minio/minio-go/api.go

@@ -30,6 +30,7 @@ import (
 	"math/rand"
 	"net"
 	"net/http"
+	"net/http/cookiejar"
 	"net/http/httputil"
 	"net/url"
 	"os"
@@ -38,6 +39,8 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/net/publicsuffix"
+
 	"github.com/minio/minio-go/pkg/credentials"
 	"github.com/minio/minio-go/pkg/s3signer"
 	"github.com/minio/minio-go/pkg/s3utils"
@@ -99,7 +102,7 @@ type Options struct {
 // Global constants.
 const (
 	libraryName    = "minio-go"
-	libraryVersion = "v6.0.11"
+	libraryVersion = "v6.0.14"
 )
 
 // User Agent should always following the below style.
@@ -273,6 +276,13 @@ func privateNew(endpoint string, creds *credentials.Credentials, secure bool, re
 		return nil, err
 	}
 
+	// Initialize cookies to preserve server sent cookies if any and replay
+	// them upon each request.
+	jar, err := cookiejar.New(&cookiejar.Options{PublicSuffixList: publicsuffix.List})
+	if err != nil {
+		return nil, err
+	}
+
 	// instantiate new Client.
 	clnt := new(Client)
 
@@ -287,6 +297,7 @@ func privateNew(endpoint string, creds *credentials.Credentials, secure bool, re
 
 	// Instantiate http client and bucket location cache.
 	clnt.httpClient = &http.Client{
+		Jar:           jar,
 		Transport:     DefaultTransport,
 		CheckRedirect: clnt.redirectHeaders,
 	}

vendor/github.com/minio/minio-go/pkg/credentials/iam_aws.go

@@ -67,9 +67,7 @@ func getEndpoint(endpoint string) (string, bool) {
 	return defaultIAMRoleEndpoint, false
 }
 
-// NewIAM returns a pointer to a new Credentials object wrapping
+// NewIAM returns a pointer to a new Credentials object wrapping the IAM.
-// the IAM. Takes a ConfigProvider to create a EC2Metadata client.
-// The ConfigProvider is satisfied by the session.Session type.
 func NewIAM(endpoint string) *Credentials {
 	p := &IAM{
 		Client: &http.Client{

vendor/github.com/minio/minio-go/pkg/credentials/sts_client_grants.go

@@ -0,0 +1,165 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2019 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+// AssumedRoleUser - The identifiers for the temporary security credentials that
+// the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
+type AssumedRoleUser struct {
+	Arn           string
+	AssumedRoleID string `xml:"AssumeRoleId"`
+}
+
+// AssumeRoleWithClientGrantsResponse contains the result of successful AssumeRoleWithClientGrants request.
+type AssumeRoleWithClientGrantsResponse struct {
+	XMLName          xml.Name           `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithClientGrantsResponse" json:"-"`
+	Result           ClientGrantsResult `xml:"AssumeRoleWithClientGrantsResult"`
+	ResponseMetadata struct {
+		RequestID string `xml:"RequestId,omitempty"`
+	} `xml:"ResponseMetadata,omitempty"`
+}
+
+// ClientGrantsResult - Contains the response to a successful AssumeRoleWithClientGrants
+// request, including temporary credentials that can be used to make Minio API requests.
+type ClientGrantsResult struct {
+	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
+	Audience        string          `xml:",omitempty"`
+	Credentials     struct {
+		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+	} `xml:",omitempty"`
+	PackedPolicySize             int    `xml:",omitempty"`
+	Provider                     string `xml:",omitempty"`
+	SubjectFromClientGrantsToken string `xml:",omitempty"`
+}
+
+// ClientGrantsToken - client grants token with expiry.
+type ClientGrantsToken struct {
+	// access token returned after authenticating client grants
+	Token string
+	// expiry for the access token returned after authenticating
+	// client grants.
+	Expiry int
+}
+
+// A STSClientGrants retrieves credentials from Minio service, and keeps track if
+// those credentials are expired.
+type STSClientGrants struct {
+	Expiry
+
+	// Required http Client to use when connecting to Minio STS service.
+	Client *http.Client
+
+	// Minio endpoint to fetch STS credentials.
+	stsEndpoint string
+
+	// getClientGrantsTokenExpiry function to retrieve tokens
+	// from IDP This function should return two values one is
+	// accessToken which is a self contained access token (JWT)
+	// and second return value is the expiry associated with
+	// this token. This is a customer provided function and
+	// is mandatory.
+	getClientGrantsTokenExpiry func() (*ClientGrantsToken, error)
+}
+
+// NewSTSClientGrants returns a pointer to a new
+// Credentials object wrapping the STSClientGrants.
+func NewSTSClientGrants(stsEndpoint string, getClientGrantsTokenExpiry func() (*ClientGrantsToken, error)) (*Credentials, error) {
+	if stsEndpoint == "" {
+		return nil, errors.New("STS endpoint cannot be empty")
+	}
+	if getClientGrantsTokenExpiry == nil {
+		return nil, errors.New("Client grants access token and expiry retrieval function should be defined")
+	}
+	return New(&STSClientGrants{
+		Client: &http.Client{
+			Transport: http.DefaultTransport,
+		},
+		stsEndpoint:                stsEndpoint,
+		getClientGrantsTokenExpiry: getClientGrantsTokenExpiry,
+	}), nil
+}
+
+func getClientGrantsCredentials(clnt *http.Client, endpoint string,
+	getClientGrantsTokenExpiry func() (*ClientGrantsToken, error)) (AssumeRoleWithClientGrantsResponse, error) {
+
+	accessToken, err := getClientGrantsTokenExpiry()
+	if err != nil {
+		return AssumeRoleWithClientGrantsResponse{}, err
+	}
+
+	v := url.Values{}
+	v.Set("Action", "AssumeRoleWithClientGrants")
+	v.Set("Token", accessToken.Token)
+	v.Set("DurationSeconds", fmt.Sprintf("%d", accessToken.Expiry))
+	v.Set("Version", "2011-06-15")
+
+	u, err := url.Parse(endpoint)
+	if err != nil {
+		return AssumeRoleWithClientGrantsResponse{}, err
+	}
+	u.RawQuery = v.Encode()
+
+	req, err := http.NewRequest("POST", u.String(), nil)
+	if err != nil {
+		return AssumeRoleWithClientGrantsResponse{}, err
+	}
+	resp, err := clnt.Do(req)
+	if err != nil {
+		return AssumeRoleWithClientGrantsResponse{}, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return AssumeRoleWithClientGrantsResponse{}, errors.New(resp.Status)
+	}
+
+	a := AssumeRoleWithClientGrantsResponse{}
+	if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {
+		return AssumeRoleWithClientGrantsResponse{}, err
+	}
+	return a, nil
+}
+
+// Retrieve retrieves credentials from the Minio service.
+// Error will be returned if the request fails.
+func (m *STSClientGrants) Retrieve() (Value, error) {
+	a, err := getClientGrantsCredentials(m.Client, m.stsEndpoint, m.getClientGrantsTokenExpiry)
+	if err != nil {
+		return Value{}, err
+	}
+
+	// Expiry window is set to 10secs.
+	m.SetExpiration(a.Result.Credentials.Expiration, DefaultExpiryWindow)
+
+	return Value{
+		AccessKeyID:     a.Result.Credentials.AccessKey,
+		SecretAccessKey: a.Result.Credentials.SecretKey,
+		SessionToken:    a.Result.Credentials.SessionToken,
+		SignerType:      SignatureV4,
+	}, nil
+}

vendor/github.com/minio/minio-go/pkg/credentials/sts_web_identity.go

@@ -0,0 +1,161 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2019 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+// AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
+type AssumeRoleWithWebIdentityResponse struct {
+	XMLName          xml.Name          `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
+	Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
+	ResponseMetadata struct {
+		RequestID string `xml:"RequestId,omitempty"`
+	} `xml:"ResponseMetadata,omitempty"`
+}
+
+// WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity
+// request, including temporary credentials that can be used to make Minio API requests.
+type WebIdentityResult struct {
+	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
+	Audience        string          `xml:",omitempty"`
+	Credentials     struct {
+		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+	} `xml:",omitempty"`
+	PackedPolicySize            int    `xml:",omitempty"`
+	Provider                    string `xml:",omitempty"`
+	SubjectFromWebIdentityToken string `xml:",omitempty"`
+}
+
+// WebIdentityToken - web identity token with expiry.
+type WebIdentityToken struct {
+	// access token returned after authenticating web identity.
+	Token string
+	// expiry for the access token returned after authenticating
+	// web identity.
+	Expiry int
+}
+
+// A STSWebIdentity retrieves credentials from Minio service, and keeps track if
+// those credentials are expired.
+type STSWebIdentity struct {
+	Expiry
+
+	// Required http Client to use when connecting to Minio STS service.
+	Client *http.Client
+
+	// Minio endpoint to fetch STS credentials.
+	stsEndpoint string
+
+	// getWebIDTokenExpiry function which returns ID tokens
+	// from IDP. This function should return two values one
+	// is ID token which is a self contained ID token (JWT)
+	// and second return value is the expiry associated with
+	// this token.
+	// This is a customer provided function and is mandatory.
+	getWebIDTokenExpiry func() (*WebIdentityToken, error)
+}
+
+// NewSTSWebIdentity returns a pointer to a new
+// Credentials object wrapping the STSWebIdentity.
+func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdentityToken, error)) (*Credentials, error) {
+	if stsEndpoint == "" {
+		return nil, errors.New("STS endpoint cannot be empty")
+	}
+	if getWebIDTokenExpiry == nil {
+		return nil, errors.New("Web ID token and expiry retrieval function should be defined")
+	}
+	return New(&STSWebIdentity{
+		Client: &http.Client{
+			Transport: http.DefaultTransport,
+		},
+		stsEndpoint:         stsEndpoint,
+		getWebIDTokenExpiry: getWebIDTokenExpiry,
+	}), nil
+}
+
+func getWebIdentityCredentials(clnt *http.Client, endpoint string,
+	getWebIDTokenExpiry func() (*WebIdentityToken, error)) (AssumeRoleWithWebIdentityResponse, error) {
+	idToken, err := getWebIDTokenExpiry()
+	if err != nil {
+		return AssumeRoleWithWebIdentityResponse{}, err
+	}
+
+	v := url.Values{}
+	v.Set("Action", "AssumeRoleWithWebIdentity")
+	v.Set("WebIdentityToken", idToken.Token)
+	v.Set("DurationSeconds", fmt.Sprintf("%d", idToken.Expiry))
+	v.Set("Version", "2011-06-15")
+
+	u, err := url.Parse(endpoint)
+	if err != nil {
+		return AssumeRoleWithWebIdentityResponse{}, err
+	}
+
+	u.RawQuery = v.Encode()
+
+	req, err := http.NewRequest("POST", u.String(), nil)
+	if err != nil {
+		return AssumeRoleWithWebIdentityResponse{}, err
+	}
+
+	resp, err := clnt.Do(req)
+	if err != nil {
+		return AssumeRoleWithWebIdentityResponse{}, err
+	}
+
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return AssumeRoleWithWebIdentityResponse{}, errors.New(resp.Status)
+	}
+
+	a := AssumeRoleWithWebIdentityResponse{}
+	if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {
+		return AssumeRoleWithWebIdentityResponse{}, err
+	}
+
+	return a, nil
+}
+
+// Retrieve retrieves credentials from the Minio service.
+// Error will be returned if the request fails.
+func (m *STSWebIdentity) Retrieve() (Value, error) {
+	a, err := getWebIdentityCredentials(m.Client, m.stsEndpoint, m.getWebIDTokenExpiry)
+	if err != nil {
+		return Value{}, err
+	}
+
+	// Expiry window is set to 10secs.
+	m.SetExpiration(a.Result.Credentials.Expiration, DefaultExpiryWindow)
+
+	return Value{
+		AccessKeyID:     a.Result.Credentials.AccessKey,
+		SecretAccessKey: a.Result.Credentials.SecretKey,
+		SessionToken:    a.Result.Credentials.SessionToken,
+		SignerType:      SignatureV4,
+	}, nil
+}

vendor/github.com/minio/minio-go/s3-endpoints.go

@@ -19,22 +19,24 @@ package minio
 
 // awsS3EndpointMap Amazon S3 endpoint map.
 var awsS3EndpointMap = map[string]string{
-	"us-east-1":      "s3.amazonaws.com",
+	"us-east-1":      "s3.dualstack.us-east-1.amazonaws.com",
-	"us-east-2":      "s3-us-east-2.amazonaws.com",
+	"us-east-2":      "s3.dualstack.us-east-2.amazonaws.com",
-	"us-west-2":      "s3-us-west-2.amazonaws.com",
+	"us-west-2":      "s3.dualstack.us-west-2.amazonaws.com",
-	"us-west-1":      "s3-us-west-1.amazonaws.com",
+	"us-west-1":      "s3.dualstack.us-west-1.amazonaws.com",
-	"ca-central-1":   "s3-ca-central-1.amazonaws.com",
+	"ca-central-1":   "s3.dualstack.ca-central-1.amazonaws.com",
-	"eu-west-1":      "s3-eu-west-1.amazonaws.com",
+	"eu-west-1":      "s3.dualstack.eu-west-1.amazonaws.com",
-	"eu-west-2":      "s3-eu-west-2.amazonaws.com",
+	"eu-west-2":      "s3.dualstack.eu-west-2.amazonaws.com",
-	"eu-west-3":      "s3-eu-west-3.amazonaws.com",
+	"eu-west-3":      "s3.dualstack.eu-west-3.amazonaws.com",
-	"eu-central-1":   "s3-eu-central-1.amazonaws.com",
+	"eu-central-1":   "s3.dualstack.eu-central-1.amazonaws.com",
-	"ap-south-1":     "s3-ap-south-1.amazonaws.com",
+	"eu-north-1":     "s3.dualstack.eu-north-1.amazonaws.com",
-	"ap-southeast-1": "s3-ap-southeast-1.amazonaws.com",
+	"ap-south-1":     "s3.dualstack.ap-south-1.amazonaws.com",
-	"ap-southeast-2": "s3-ap-southeast-2.amazonaws.com",
+	"ap-southeast-1": "s3.dualstack.ap-southeast-1.amazonaws.com",
-	"ap-northeast-1": "s3-ap-northeast-1.amazonaws.com",
+	"ap-southeast-2": "s3.dualstack.ap-southeast-2.amazonaws.com",
-	"ap-northeast-2": "s3-ap-northeast-2.amazonaws.com",
+	"ap-northeast-1": "s3.dualstack.ap-northeast-1.amazonaws.com",
-	"sa-east-1":      "s3-sa-east-1.amazonaws.com",
+	"ap-northeast-2": "s3.dualstack.ap-northeast-2.amazonaws.com",
-	"us-gov-west-1":  "s3-us-gov-west-1.amazonaws.com",
+	"sa-east-1":      "s3.dualstack.sa-east-1.amazonaws.com",
+	"us-gov-west-1":  "s3.dualstack.us-gov-west-1.amazonaws.com",
+	"us-gov-east-1":  "s3.dualstack.us-gov-east-1.amazonaws.com",
 	"cn-north-1":     "s3.cn-north-1.amazonaws.com.cn",
 	"cn-northwest-1": "s3.cn-northwest-1.amazonaws.com.cn",
 }
@@ -43,8 +45,8 @@ var awsS3EndpointMap = map[string]string{
 func getS3Endpoint(bucketLocation string) (s3Endpoint string) {
 	s3Endpoint, ok := awsS3EndpointMap[bucketLocation]
 	if !ok {
-		// Default to 's3.amazonaws.com' endpoint.
+		// Default to 's3.dualstack.us-east-1.amazonaws.com' endpoint.
-		s3Endpoint = "s3.amazonaws.com"
+		s3Endpoint = "s3.dualstack.us-east-1.amazonaws.com"
 	}
 	return s3Endpoint
 }

vendor/golang.org/x/net/publicsuffix/gen.go

@@ -0,0 +1,713 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build ignore
+
+package main
+
+// This program generates table.go and table_test.go based on the authoritative
+// public suffix list at https://publicsuffix.org/list/effective_tld_names.dat
+//
+// The version is derived from
+// https://api.github.com/repos/publicsuffix/list/commits?path=public_suffix_list.dat
+// and a human-readable form is at
+// https://github.com/publicsuffix/list/commits/master/public_suffix_list.dat
+//
+// To fetch a particular git revision, such as 5c70ccd250, pass
+// -url "https://raw.githubusercontent.com/publicsuffix/list/5c70ccd250/public_suffix_list.dat"
+// and -version "an explicit version string".
+
+import (
+	"bufio"
+	"bytes"
+	"flag"
+	"fmt"
+	"go/format"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"regexp"
+	"sort"
+	"strings"
+
+	"golang.org/x/net/idna"
+)
+
+const (
+	// These sum of these four values must be no greater than 32.
+	nodesBitsChildren   = 10
+	nodesBitsICANN      = 1
+	nodesBitsTextOffset = 15
+	nodesBitsTextLength = 6
+
+	// These sum of these four values must be no greater than 32.
+	childrenBitsWildcard = 1
+	childrenBitsNodeType = 2
+	childrenBitsHi       = 14
+	childrenBitsLo       = 14
+)
+
+var (
+	maxChildren   int
+	maxTextOffset int
+	maxTextLength int
+	maxHi         uint32
+	maxLo         uint32
+)
+
+func max(a, b int) int {
+	if a < b {
+		return b
+	}
+	return a
+}
+
+func u32max(a, b uint32) uint32 {
+	if a < b {
+		return b
+	}
+	return a
+}
+
+const (
+	nodeTypeNormal     = 0
+	nodeTypeException  = 1
+	nodeTypeParentOnly = 2
+	numNodeType        = 3
+)
+
+func nodeTypeStr(n int) string {
+	switch n {
+	case nodeTypeNormal:
+		return "+"
+	case nodeTypeException:
+		return "!"
+	case nodeTypeParentOnly:
+		return "o"
+	}
+	panic("unreachable")
+}
+
+const (
+	defaultURL   = "https://publicsuffix.org/list/effective_tld_names.dat"
+	gitCommitURL = "https://api.github.com/repos/publicsuffix/list/commits?path=public_suffix_list.dat"
+)
+
+var (
+	labelEncoding = map[string]uint32{}
+	labelsList    = []string{}
+	labelsMap     = map[string]bool{}
+	rules         = []string{}
+
+	// validSuffixRE is used to check that the entries in the public suffix
+	// list are in canonical form (after Punycode encoding). Specifically,
+	// capital letters are not allowed.
+	validSuffixRE = regexp.MustCompile(`^[a-z0-9_\!\*\-\.]+$`)
+
+	shaRE  = regexp.MustCompile(`"sha":"([^"]+)"`)
+	dateRE = regexp.MustCompile(`"committer":{[^{]+"date":"([^"]+)"`)
+
+	comments = flag.Bool("comments", false, "generate table.go comments, for debugging")
+	subset   = flag.Bool("subset", false, "generate only a subset of the full table, for debugging")
+	url      = flag.String("url", defaultURL, "URL of the publicsuffix.org list. If empty, stdin is read instead")
+	v        = flag.Bool("v", false, "verbose output (to stderr)")
+	version  = flag.String("version", "", "the effective_tld_names.dat version")
+)
+
+func main() {
+	if err := main1(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+func main1() error {
+	flag.Parse()
+	if nodesBitsTextLength+nodesBitsTextOffset+nodesBitsICANN+nodesBitsChildren > 32 {
+		return fmt.Errorf("not enough bits to encode the nodes table")
+	}
+	if childrenBitsLo+childrenBitsHi+childrenBitsNodeType+childrenBitsWildcard > 32 {
+		return fmt.Errorf("not enough bits to encode the children table")
+	}
+	if *version == "" {
+		if *url != defaultURL {
+			return fmt.Errorf("-version was not specified, and the -url is not the default one")
+		}
+		sha, date, err := gitCommit()
+		if err != nil {
+			return err
+		}
+		*version = fmt.Sprintf("publicsuffix.org's public_suffix_list.dat, git revision %s (%s)", sha, date)
+	}
+	var r io.Reader = os.Stdin
+	if *url != "" {
+		res, err := http.Get(*url)
+		if err != nil {
+			return err
+		}
+		if res.StatusCode != http.StatusOK {
+			return fmt.Errorf("bad GET status for %s: %d", *url, res.Status)
+		}
+		r = res.Body
+		defer res.Body.Close()
+	}
+
+	var root node
+	icann := false
+	br := bufio.NewReader(r)
+	for {
+		s, err := br.ReadString('\n')
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return err
+		}
+		s = strings.TrimSpace(s)
+		if strings.Contains(s, "BEGIN ICANN DOMAINS") {
+			icann = true
+			continue
+		}
+		if strings.Contains(s, "END ICANN DOMAINS") {
+			icann = false
+			continue
+		}
+		if s == "" || strings.HasPrefix(s, "//") {
+			continue
+		}
+		s, err = idna.ToASCII(s)
+		if err != nil {
+			return err
+		}
+		if !validSuffixRE.MatchString(s) {
+			return fmt.Errorf("bad publicsuffix.org list data: %q", s)
+		}
+
+		if *subset {
+			switch {
+			case s == "ac.jp" || strings.HasSuffix(s, ".ac.jp"):
+			case s == "ak.us" || strings.HasSuffix(s, ".ak.us"):
+			case s == "ao" || strings.HasSuffix(s, ".ao"):
+			case s == "ar" || strings.HasSuffix(s, ".ar"):
+			case s == "arpa" || strings.HasSuffix(s, ".arpa"):
+			case s == "cy" || strings.HasSuffix(s, ".cy"):
+			case s == "dyndns.org" || strings.HasSuffix(s, ".dyndns.org"):
+			case s == "jp":
+			case s == "kobe.jp" || strings.HasSuffix(s, ".kobe.jp"):
+			case s == "kyoto.jp" || strings.HasSuffix(s, ".kyoto.jp"):
+			case s == "om" || strings.HasSuffix(s, ".om"):
+			case s == "uk" || strings.HasSuffix(s, ".uk"):
+			case s == "uk.com" || strings.HasSuffix(s, ".uk.com"):
+			case s == "tw" || strings.HasSuffix(s, ".tw"):
+			case s == "zw" || strings.HasSuffix(s, ".zw"):
+			case s == "xn--p1ai" || strings.HasSuffix(s, ".xn--p1ai"):
+				// xn--p1ai is Russian-Cyrillic "рф".
+			default:
+				continue
+			}
+		}
+
+		rules = append(rules, s)
+
+		nt, wildcard := nodeTypeNormal, false
+		switch {
+		case strings.HasPrefix(s, "*."):
+			s, nt = s[2:], nodeTypeParentOnly
+			wildcard = true
+		case strings.HasPrefix(s, "!"):
+			s, nt = s[1:], nodeTypeException
+		}
+		labels := strings.Split(s, ".")
+		for n, i := &root, len(labels)-1; i >= 0; i-- {
+			label := labels[i]
+			n = n.child(label)
+			if i == 0 {
+				if nt != nodeTypeParentOnly && n.nodeType == nodeTypeParentOnly {
+					n.nodeType = nt
+				}
+				n.icann = n.icann && icann
+				n.wildcard = n.wildcard || wildcard
+			}
+			labelsMap[label] = true
+		}
+	}
+	labelsList = make([]string, 0, len(labelsMap))
+	for label := range labelsMap {
+		labelsList = append(labelsList, label)
+	}
+	sort.Strings(labelsList)
+
+	if err := generate(printReal, &root, "table.go"); err != nil {
+		return err
+	}
+	if err := generate(printTest, &root, "table_test.go"); err != nil {
+		return err
+	}
+	return nil
+}
+
+func generate(p func(io.Writer, *node) error, root *node, filename string) error {
+	buf := new(bytes.Buffer)
+	if err := p(buf, root); err != nil {
+		return err
+	}
+	b, err := format.Source(buf.Bytes())
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(filename, b, 0644)
+}
+
+func gitCommit() (sha, date string, retErr error) {
+	res, err := http.Get(gitCommitURL)
+	if err != nil {
+		return "", "", err
+	}
+	if res.StatusCode != http.StatusOK {
+		return "", "", fmt.Errorf("bad GET status for %s: %d", gitCommitURL, res.Status)
+	}
+	defer res.Body.Close()
+	b, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return "", "", err
+	}
+	if m := shaRE.FindSubmatch(b); m != nil {
+		sha = string(m[1])
+	}
+	if m := dateRE.FindSubmatch(b); m != nil {
+		date = string(m[1])
+	}
+	if sha == "" || date == "" {
+		retErr = fmt.Errorf("could not find commit SHA and date in %s", gitCommitURL)
+	}
+	return sha, date, retErr
+}
+
+func printTest(w io.Writer, n *node) error {
+	fmt.Fprintf(w, "// generated by go run gen.go; DO NOT EDIT\n\n")
+	fmt.Fprintf(w, "package publicsuffix\n\nvar rules = [...]string{\n")
+	for _, rule := range rules {
+		fmt.Fprintf(w, "%q,\n", rule)
+	}
+	fmt.Fprintf(w, "}\n\nvar nodeLabels = [...]string{\n")
+	if err := n.walk(w, printNodeLabel); err != nil {
+		return err
+	}
+	fmt.Fprintf(w, "}\n")
+	return nil
+}
+
+func printReal(w io.Writer, n *node) error {
+	const header = `// generated by go run gen.go; DO NOT EDIT
+
+package publicsuffix
+
+const version = %q
+
+const (
+	nodesBitsChildren   = %d
+	nodesBitsICANN      = %d
+	nodesBitsTextOffset = %d
+	nodesBitsTextLength = %d
+
+	childrenBitsWildcard = %d
+	childrenBitsNodeType = %d
+	childrenBitsHi       = %d
+	childrenBitsLo       = %d
+)
+
+const (
+	nodeTypeNormal     = %d
+	nodeTypeException  = %d
+	nodeTypeParentOnly = %d
+)
+
+// numTLD is the number of top level domains.
+const numTLD = %d
+
+`
+	fmt.Fprintf(w, header, *version,
+		nodesBitsChildren, nodesBitsICANN, nodesBitsTextOffset, nodesBitsTextLength,
+		childrenBitsWildcard, childrenBitsNodeType, childrenBitsHi, childrenBitsLo,
+		nodeTypeNormal, nodeTypeException, nodeTypeParentOnly, len(n.children))
+
+	text := combineText(labelsList)
+	if text == "" {
+		return fmt.Errorf("internal error: makeText returned no text")
+	}
+	for _, label := range labelsList {
+		offset, length := strings.Index(text, label), len(label)
+		if offset < 0 {
+			return fmt.Errorf("internal error: could not find %q in text %q", label, text)
+		}
+		maxTextOffset, maxTextLength = max(maxTextOffset, offset), max(maxTextLength, length)
+		if offset >= 1<<nodesBitsTextOffset {
+			return fmt.Errorf("text offset %d is too large, or nodeBitsTextOffset is too small", offset)
+		}
+		if length >= 1<<nodesBitsTextLength {
+			return fmt.Errorf("text length %d is too large, or nodeBitsTextLength is too small", length)
+		}
+		labelEncoding[label] = uint32(offset)<<nodesBitsTextLength | uint32(length)
+	}
+	fmt.Fprintf(w, "// Text is the combined text of all labels.\nconst text = ")
+	for len(text) > 0 {
+		n, plus := len(text), ""
+		if n > 64 {
+			n, plus = 64, " +"
+		}
+		fmt.Fprintf(w, "%q%s\n", text[:n], plus)
+		text = text[n:]
+	}
+
+	if err := n.walk(w, assignIndexes); err != nil {
+		return err
+	}
+
+	fmt.Fprintf(w, `
+
+// nodes is the list of nodes. Each node is represented as a uint32, which
+// encodes the node's children, wildcard bit and node type (as an index into
+// the children array), ICANN bit and text.
+//
+// If the table was generated with the -comments flag, there is a //-comment
+// after each node's data. In it is the nodes-array indexes of the children,
+// formatted as (n0x1234-n0x1256), with * denoting the wildcard bit. The
+// nodeType is printed as + for normal, ! for exception, and o for parent-only
+// nodes that have children but don't match a domain label in their own right.
+// An I denotes an ICANN domain.
+//
+// The layout within the uint32, from MSB to LSB, is:
+//	[%2d bits] unused
+//	[%2d bits] children index
+//	[%2d bits] ICANN bit
+//	[%2d bits] text index
+//	[%2d bits] text length
+var nodes = [...]uint32{
+`,
+		32-nodesBitsChildren-nodesBitsICANN-nodesBitsTextOffset-nodesBitsTextLength,
+		nodesBitsChildren, nodesBitsICANN, nodesBitsTextOffset, nodesBitsTextLength)
+	if err := n.walk(w, printNode); err != nil {
+		return err
+	}
+	fmt.Fprintf(w, `}
+
+// children is the list of nodes' children, the parent's wildcard bit and the
+// parent's node type. If a node has no children then their children index
+// will be in the range [0, 6), depending on the wildcard bit and node type.
+//
+// The layout within the uint32, from MSB to LSB, is:
+//	[%2d bits] unused
+//	[%2d bits] wildcard bit
+//	[%2d bits] node type
+//	[%2d bits] high nodes index (exclusive) of children
+//	[%2d bits] low nodes index (inclusive) of children
+var children=[...]uint32{
+`,
+		32-childrenBitsWildcard-childrenBitsNodeType-childrenBitsHi-childrenBitsLo,
+		childrenBitsWildcard, childrenBitsNodeType, childrenBitsHi, childrenBitsLo)
+	for i, c := range childrenEncoding {
+		s := "---------------"
+		lo := c & (1<<childrenBitsLo - 1)
+		hi := (c >> childrenBitsLo) & (1<<childrenBitsHi - 1)
+		if lo != hi {
+			s = fmt.Sprintf("n0x%04x-n0x%04x", lo, hi)
+		}
+		nodeType := int(c>>(childrenBitsLo+childrenBitsHi)) & (1<<childrenBitsNodeType - 1)
+		wildcard := c>>(childrenBitsLo+childrenBitsHi+childrenBitsNodeType) != 0
+		if *comments {
+			fmt.Fprintf(w, "0x%08x, // c0x%04x (%s)%s %s\n",
+				c, i, s, wildcardStr(wildcard), nodeTypeStr(nodeType))
+		} else {
+			fmt.Fprintf(w, "0x%x,\n", c)
+		}
+	}
+	fmt.Fprintf(w, "}\n\n")
+	fmt.Fprintf(w, "// max children %d (capacity %d)\n", maxChildren, 1<<nodesBitsChildren-1)
+	fmt.Fprintf(w, "// max text offset %d (capacity %d)\n", maxTextOffset, 1<<nodesBitsTextOffset-1)
+	fmt.Fprintf(w, "// max text length %d (capacity %d)\n", maxTextLength, 1<<nodesBitsTextLength-1)
+	fmt.Fprintf(w, "// max hi %d (capacity %d)\n", maxHi, 1<<childrenBitsHi-1)
+	fmt.Fprintf(w, "// max lo %d (capacity %d)\n", maxLo, 1<<childrenBitsLo-1)
+	return nil
+}
+
+type node struct {
+	label    string
+	nodeType int
+	icann    bool
+	wildcard bool
+	// nodesIndex and childrenIndex are the index of this node in the nodes
+	// and the index of its children offset/length in the children arrays.
+	nodesIndex, childrenIndex int
+	// firstChild is the index of this node's first child, or zero if this
+	// node has no children.
+	firstChild int
+	// children are the node's children, in strictly increasing node label order.
+	children []*node
+}
+
+func (n *node) walk(w io.Writer, f func(w1 io.Writer, n1 *node) error) error {
+	if err := f(w, n); err != nil {
+		return err
+	}
+	for _, c := range n.children {
+		if err := c.walk(w, f); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// child returns the child of n with the given label. The child is created if
+// it did not exist beforehand.
+func (n *node) child(label string) *node {
+	for _, c := range n.children {
+		if c.label == label {
+			return c
+		}
+	}
+	c := &node{
+		label:    label,
+		nodeType: nodeTypeParentOnly,
+		icann:    true,
+	}
+	n.children = append(n.children, c)
+	sort.Sort(byLabel(n.children))
+	return c
+}
+
+type byLabel []*node
+
+func (b byLabel) Len() int           { return len(b) }
+func (b byLabel) Swap(i, j int)      { b[i], b[j] = b[j], b[i] }
+func (b byLabel) Less(i, j int) bool { return b[i].label < b[j].label }
+
+var nextNodesIndex int
+
+// childrenEncoding are the encoded entries in the generated children array.
+// All these pre-defined entries have no children.
+var childrenEncoding = []uint32{
+	0 << (childrenBitsLo + childrenBitsHi), // Without wildcard bit, nodeTypeNormal.
+	1 << (childrenBitsLo + childrenBitsHi), // Without wildcard bit, nodeTypeException.
+	2 << (childrenBitsLo + childrenBitsHi), // Without wildcard bit, nodeTypeParentOnly.
+	4 << (childrenBitsLo + childrenBitsHi), // With wildcard bit, nodeTypeNormal.
+	5 << (childrenBitsLo + childrenBitsHi), // With wildcard bit, nodeTypeException.
+	6 << (childrenBitsLo + childrenBitsHi), // With wildcard bit, nodeTypeParentOnly.
+}
+
+var firstCallToAssignIndexes = true
+
+func assignIndexes(w io.Writer, n *node) error {
+	if len(n.children) != 0 {
+		// Assign nodesIndex.
+		n.firstChild = nextNodesIndex
+		for _, c := range n.children {
+			c.nodesIndex = nextNodesIndex
+			nextNodesIndex++
+		}
+
+		// The root node's children is implicit.
+		if firstCallToAssignIndexes {
+			firstCallToAssignIndexes = false
+			return nil
+		}
+
+		// Assign childrenIndex.
+		maxChildren = max(maxChildren, len(childrenEncoding))
+		if len(childrenEncoding) >= 1<<nodesBitsChildren {
+			return fmt.Errorf("children table size %d is too large, or nodeBitsChildren is too small", len(childrenEncoding))
+		}
+		n.childrenIndex = len(childrenEncoding)
+		lo := uint32(n.firstChild)
+		hi := lo + uint32(len(n.children))
+		maxLo, maxHi = u32max(maxLo, lo), u32max(maxHi, hi)
+		if lo >= 1<<childrenBitsLo {
+			return fmt.Errorf("children lo %d is too large, or childrenBitsLo is too small", lo)
+		}
+		if hi >= 1<<childrenBitsHi {
+			return fmt.Errorf("children hi %d is too large, or childrenBitsHi is too small", hi)
+		}
+		enc := hi<<childrenBitsLo | lo
+		enc |= uint32(n.nodeType) << (childrenBitsLo + childrenBitsHi)
+		if n.wildcard {
+			enc |= 1 << (childrenBitsLo + childrenBitsHi + childrenBitsNodeType)
+		}
+		childrenEncoding = append(childrenEncoding, enc)
+	} else {
+		n.childrenIndex = n.nodeType
+		if n.wildcard {
+			n.childrenIndex += numNodeType
+		}
+	}
+	return nil
+}
+
+func printNode(w io.Writer, n *node) error {
+	for _, c := range n.children {
+		s := "---------------"
+		if len(c.children) != 0 {
+			s = fmt.Sprintf("n0x%04x-n0x%04x", c.firstChild, c.firstChild+len(c.children))
+		}
+		encoding := labelEncoding[c.label]
+		if c.icann {
+			encoding |= 1 << (nodesBitsTextLength + nodesBitsTextOffset)
+		}
+		encoding |= uint32(c.childrenIndex) << (nodesBitsTextLength + nodesBitsTextOffset + nodesBitsICANN)
+		if *comments {
+			fmt.Fprintf(w, "0x%08x, // n0x%04x c0x%04x (%s)%s %s %s %s\n",
+				encoding, c.nodesIndex, c.childrenIndex, s, wildcardStr(c.wildcard),
+				nodeTypeStr(c.nodeType), icannStr(c.icann), c.label,
+			)
+		} else {
+			fmt.Fprintf(w, "0x%x,\n", encoding)
+		}
+	}
+	return nil
+}
+
+func printNodeLabel(w io.Writer, n *node) error {
+	for _, c := range n.children {
+		fmt.Fprintf(w, "%q,\n", c.label)
+	}
+	return nil
+}
+
+func icannStr(icann bool) string {
+	if icann {
+		return "I"
+	}
+	return " "
+}
+
+func wildcardStr(wildcard bool) string {
+	if wildcard {
+		return "*"
+	}
+	return " "
+}
+
+// combineText combines all the strings in labelsList to form one giant string.
+// Overlapping strings will be merged: "arpa" and "parliament" could yield
+// "arparliament".
+func combineText(labelsList []string) string {
+	beforeLength := 0
+	for _, s := range labelsList {
+		beforeLength += len(s)
+	}
+
+	text := crush(removeSubstrings(labelsList))
+	if *v {
+		fmt.Fprintf(os.Stderr, "crushed %d bytes to become %d bytes\n", beforeLength, len(text))
+	}
+	return text
+}
+
+type byLength []string
+
+func (s byLength) Len() int           { return len(s) }
+func (s byLength) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+func (s byLength) Less(i, j int) bool { return len(s[i]) < len(s[j]) }
+
+// removeSubstrings returns a copy of its input with any strings removed
+// that are substrings of other provided strings.
+func removeSubstrings(input []string) []string {
+	// Make a copy of input.
+	ss := append(make([]string, 0, len(input)), input...)
+	sort.Sort(byLength(ss))
+
+	for i, shortString := range ss {
+		// For each string, only consider strings higher than it in sort order, i.e.
+		// of equal length or greater.
+		for _, longString := range ss[i+1:] {
+			if strings.Contains(longString, shortString) {
+				ss[i] = ""
+				break
+			}
+		}
+	}
+
+	// Remove the empty strings.
+	sort.Strings(ss)
+	for len(ss) > 0 && ss[0] == "" {
+		ss = ss[1:]
+	}
+	return ss
+}
+
+// crush combines a list of strings, taking advantage of overlaps. It returns a
+// single string that contains each input string as a substring.
+func crush(ss []string) string {
+	maxLabelLen := 0
+	for _, s := range ss {
+		if maxLabelLen < len(s) {
+			maxLabelLen = len(s)
+		}
+	}
+
+	for prefixLen := maxLabelLen; prefixLen > 0; prefixLen-- {
+		prefixes := makePrefixMap(ss, prefixLen)
+		for i, s := range ss {
+			if len(s) <= prefixLen {
+				continue
+			}
+			mergeLabel(ss, i, prefixLen, prefixes)
+		}
+	}
+
+	return strings.Join(ss, "")
+}
+
+// mergeLabel merges the label at ss[i] with the first available matching label
+// in prefixMap, where the last "prefixLen" characters in ss[i] match the first
+// "prefixLen" characters in the matching label.
+// It will merge ss[i] repeatedly until no more matches are available.
+// All matching labels merged into ss[i] are replaced by "".
+func mergeLabel(ss []string, i, prefixLen int, prefixes prefixMap) {
+	s := ss[i]
+	suffix := s[len(s)-prefixLen:]
+	for _, j := range prefixes[suffix] {
+		// Empty strings mean "already used." Also avoid merging with self.
+		if ss[j] == "" || i == j {
+			continue
+		}
+		if *v {
+			fmt.Fprintf(os.Stderr, "%d-length overlap at (%4d,%4d): %q and %q share %q\n",
+				prefixLen, i, j, ss[i], ss[j], suffix)
+		}
+		ss[i] += ss[j][prefixLen:]
+		ss[j] = ""
+		// ss[i] has a new suffix, so merge again if possible.
+		// Note: we only have to merge again at the same prefix length. Shorter
+		// prefix lengths will be handled in the next iteration of crush's for loop.
+		// Can there be matches for longer prefix lengths, introduced by the merge?
+		// I believe that any such matches would by necessity have been eliminated
+		// during substring removal or merged at a higher prefix length. For
+		// instance, in crush("abc", "cde", "bcdef"), combining "abc" and "cde"
+		// would yield "abcde", which could be merged with "bcdef." However, in
+		// practice "cde" would already have been elimintated by removeSubstrings.
+		mergeLabel(ss, i, prefixLen, prefixes)
+		return
+	}
+}
+
+// prefixMap maps from a prefix to a list of strings containing that prefix. The
+// list of strings is represented as indexes into a slice of strings stored
+// elsewhere.
+type prefixMap map[string][]int
+
+// makePrefixMap constructs a prefixMap from a slice of strings.
+func makePrefixMap(ss []string, prefixLen int) prefixMap {
+	prefixes := make(prefixMap)
+	for i, s := range ss {
+		// We use < rather than <= because if a label matches on a prefix equal to
+		// its full length, that's actually a substring match handled by
+		// removeSubstrings.
+		if prefixLen < len(s) {
+			prefix := s[:prefixLen]
+			prefixes[prefix] = append(prefixes[prefix], i)
+		}
+	}
+
+	return prefixes
+}

vendor/golang.org/x/net/publicsuffix/list.go

@@ -0,0 +1,135 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate go run gen.go
+
+// Package publicsuffix provides a public suffix list based on data from
+// http://publicsuffix.org/. A public suffix is one under which Internet users
+// can directly register names.
+package publicsuffix // import "golang.org/x/net/publicsuffix"
+
+// TODO: specify case sensitivity and leading/trailing dot behavior for
+// func PublicSuffix and func EffectiveTLDPlusOne.
+
+import (
+	"fmt"
+	"net/http/cookiejar"
+	"strings"
+)
+
+// List implements the cookiejar.PublicSuffixList interface by calling the
+// PublicSuffix function.
+var List cookiejar.PublicSuffixList = list{}
+
+type list struct{}
+
+func (list) PublicSuffix(domain string) string {
+	ps, _ := PublicSuffix(domain)
+	return ps
+}
+
+func (list) String() string {
+	return version
+}
+
+// PublicSuffix returns the public suffix of the domain using a copy of the
+// publicsuffix.org database compiled into the library.
+//
+// icann is whether the public suffix is managed by the Internet Corporation
+// for Assigned Names and Numbers. If not, the public suffix is privately
+// managed. For example, foo.org and foo.co.uk are ICANN domains,
+// foo.dyndns.org and foo.blogspot.co.uk are private domains.
+//
+// Use cases for distinguishing ICANN domains like foo.com from private
+// domains like foo.appspot.com can be found at
+// https://wiki.mozilla.org/Public_Suffix_List/Use_Cases
+func PublicSuffix(domain string) (publicSuffix string, icann bool) {
+	lo, hi := uint32(0), uint32(numTLD)
+	s, suffix, wildcard := domain, len(domain), false
+loop:
+	for {
+		dot := strings.LastIndex(s, ".")
+		if wildcard {
+			suffix = 1 + dot
+		}
+		if lo == hi {
+			break
+		}
+		f := find(s[1+dot:], lo, hi)
+		if f == notFound {
+			break
+		}
+
+		u := nodes[f] >> (nodesBitsTextOffset + nodesBitsTextLength)
+		icann = u&(1<<nodesBitsICANN-1) != 0
+		u >>= nodesBitsICANN
+		u = children[u&(1<<nodesBitsChildren-1)]
+		lo = u & (1<<childrenBitsLo - 1)
+		u >>= childrenBitsLo
+		hi = u & (1<<childrenBitsHi - 1)
+		u >>= childrenBitsHi
+		switch u & (1<<childrenBitsNodeType - 1) {
+		case nodeTypeNormal:
+			suffix = 1 + dot
+		case nodeTypeException:
+			suffix = 1 + len(s)
+			break loop
+		}
+		u >>= childrenBitsNodeType
+		wildcard = u&(1<<childrenBitsWildcard-1) != 0
+
+		if dot == -1 {
+			break
+		}
+		s = s[:dot]
+	}
+	if suffix == len(domain) {
+		// If no rules match, the prevailing rule is "*".
+		return domain[1+strings.LastIndex(domain, "."):], icann
+	}
+	return domain[suffix:], icann
+}
+
+const notFound uint32 = 1<<32 - 1
+
+// find returns the index of the node in the range [lo, hi) whose label equals
+// label, or notFound if there is no such node. The range is assumed to be in
+// strictly increasing node label order.
+func find(label string, lo, hi uint32) uint32 {
+	for lo < hi {
+		mid := lo + (hi-lo)/2
+		s := nodeLabel(mid)
+		if s < label {
+			lo = mid + 1
+		} else if s == label {
+			return mid
+		} else {
+			hi = mid
+		}
+	}
+	return notFound
+}
+
+// nodeLabel returns the label for the i'th node.
+func nodeLabel(i uint32) string {
+	x := nodes[i]
+	length := x & (1<<nodesBitsTextLength - 1)
+	x >>= nodesBitsTextLength
+	offset := x & (1<<nodesBitsTextOffset - 1)
+	return text[offset : offset+length]
+}
+
+// EffectiveTLDPlusOne returns the effective top level domain plus one more
+// label. For example, the eTLD+1 for "foo.bar.golang.org" is "golang.org".
+func EffectiveTLDPlusOne(domain string) (string, error) {
+	suffix, _ := PublicSuffix(domain)
+	if len(domain) <= len(suffix) {
+		return "", fmt.Errorf("publicsuffix: cannot derive eTLD+1 for domain %q", domain)
+	}
+	i := len(domain) - len(suffix) - 1
+	if domain[i] != '.' {
+		return "", fmt.Errorf("publicsuffix: invalid public suffix %q for domain %q", suffix, domain)
+	}
+	return domain[1+strings.LastIndex(domain[:i], "."):], nil
+}

vendor/vendor.json

@@ -602,46 +602,46 @@
 			"revisionTime": "2016-02-29T08:42:30-08:00"
 		},
 		{
-			"checksumSHA1": "iiDPCgPen0lGZrkUw7qwoz7bFNU=",
+			"checksumSHA1": "Sbze8wr7T6Avtc+4K8BbcHlIx4E=",
 			"path": "github.com/minio/minio-go",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
-			"checksumSHA1": "+Zp42S4+zz4vVF2jDZw9UPbSLt8=",
+			"checksumSHA1": "kgQZ7iWmuKVboL2d4DUU9l5isng=",
 			"path": "github.com/minio/minio-go/pkg/credentials",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
 			"checksumSHA1": "Md5pOKYfoKtrG7xNvs2FtiDPfDc=",
 			"path": "github.com/minio/minio-go/pkg/encrypt",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
-			"checksumSHA1": "BxFHeQVFZ0t/ZFBJTeM2uegFZI8=",
+			"checksumSHA1": "6D/qMFV+e39L+6aeT+Seq1guohM=",
 			"path": "github.com/minio/minio-go/pkg/policy",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
 			"checksumSHA1": "bbWjcrOQsV57qK+BSsrNAsI+Q/o=",
 			"path": "github.com/minio/minio-go/pkg/s3signer",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
-			"checksumSHA1": "7iUaZkEJdhkyAu3F07vrX8pyavI=",
+			"checksumSHA1": "UQLtl8GIFr1lcHlM7KluYdU3JQg=",
 			"path": "github.com/minio/minio-go/pkg/s3utils",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
 			"checksumSHA1": "Wt8ej+rZXTdNBR9Xyw1eGo3Iq5o=",
 			"path": "github.com/minio/minio-go/pkg/set",
-			"revision": "39381cf62425050629c7264228fc2f9e0c6616f6",
+			"revision": "a42b0e14697ffdcb4ef223384c1cac12738f574f",
-			"revisionTime": "2018-11-15T04:56:45Z"
+			"revisionTime": "2019-01-20T10:05:29Z"
 		},
 		{
 			"checksumSHA1": "pxgHNx36gpRdhSqtaE5fqp7lrAA=",
@@ -1134,6 +1134,12 @@
 			"revision": "1e06a53dbb7e2ed46e91183f219db23c6943c532",
 			"revisionTime": "2018-12-20T03:20:21Z"
 		},
+		{
+			"checksumSHA1": "bMhIYx4Cgl6jit4Y2PW+dKsrFuU=",
+			"path": "golang.org/x/net/publicsuffix",
+			"revision": "afe8f62b1d6bbd81f31868121a50b06d8188e1f9",
+			"revisionTime": "2018-06-20T20:20:43Z"
+		},
 		{
 			"checksumSHA1": "9EZG3s2eOREO7WkBvigjk57wK/8=",
 			"path": "golang.org/x/net/trace",